Right now, if I need to include IPs 10.10.10.1 through 10.10.10.63 and nothing else as part of a User Defined Group, I would have to add 26 objects so as to be exact. If LEM had the ability to use CIDR, then that would only require 1 object.
Disclaimer: You shouldn't really be relying on your SIEM to protect you from ransom- and mal-ware. LEM is not an antivirus or malware scanner. Also, I didn't have a lab isolated enough that I felt comfortable deploying the actual virus code, so this is an approximation of the sorts of events you might see. I provide this…
Seems like a common question I get asked doing demos is "How would this detect CryptoLocker?" That's a complicated question, but someone was kind enough to point me to an article that broke down what CW3 does. I've spent some time putting a rule together. Now, caveats: * I haven't (to my knowledge) been infected by CW3, so…
This pack has two rules. One of them infers a "VPNConnection" event with the Info "User Successfully Connected to VPN" and the other infers a "VPNConnection" event with the info "VPN Connection Terminated." The "Established" rule is based off thresholds for a Cisco ASA, AnyConnect VPN client and LDAP authentication,…
Hi all, I have a Checkpoint OPSEC connector which stops frequently (every few days; I have to restart it manually every time), so I want to ask if there is a way to set it to restart the connector automatically if it stops. LEM ver: 6.2.0. Thanks
Based on this article from Symantec, pulled Dec 03 2015: W32.Bugbear@mm Technical Details | Symantec. The ZIP includes a User Defined Group for the list of processes, and a rule. Both can be imported into LEM, though you may have to re-add the group to the Rule. Created in response to this thread: W32.Bugbear
I've got directory service groups for all privileged groups in AD, and I'm looking for a way to trigger email only if the account is in one of those groups. I have [AuditableUserEvents].DestinationAccount, but how do I check to see if it is a member of a set of directory service groups?
With LEM 6.2 RC going on, and the impending release of 6.2, I've been using and abusing Threat Intelligence Feeds to find out some of the ways that this can fail. * These rules will only produce results on LEM 6.2 or later * These rules were written and tested on 6.2RC1 (as of Aug 21 2015) * There are three rules in the…
I'm somewhat new to LEM and was looking at using the Block IP active response in a rule. I don't see any option in the rule builder to select which of the LEM connected firewalls I want to block the IP on. If I start this rule will it attempt to block the specified IP on all of my firewalls or just the one the log came…
Hello, I have problems with setting up Rules for SNMP Traps received from SolarWinds. The SNMP Trap connector is set: Filters for traps were created: and I can see received SNMP Trap messages: Rules section: For any other InternalNewToolData I can create a rule and get an incident: No luck with Traps received from SolarWinds (even…